NAIROBI – A multi-billion-dollar spending spree by Chinese corporations is prompting nations worldwide to re-evaluate the national security risks of foreign investment, a concern with growing relevance for Kenya and the East African region. A pivotal case in the United States, involving the 2015 acquisition of an American insurance company serving CIA and FBI agents by a Chinese conglomerate, serves as a stark illustration of the potential threats lurking in sensitive sectors and offers critical lessons for Kenya's regulatory landscape.

In a transaction that initially flew under the regulatory radar, the Shanghai-based Fosun Group quietly purchased Wright USA, a niche insurer that for decades provided professional liability coverage to America's intelligence and law enforcement personnel. The acquisition was part of Fosun's $2.3 billion takeover of Wright's parent company, Ironshore. The deal, first brought to light in a 2016 report by veteran journalist Jeff Stein, triggered immediate alarm within the U.S. intelligence community. The primary concern was that the personal data of thousands of American security officials—including names, addresses, and job descriptions—could become accessible to a private company with close ties to Beijing's state apparatus.

"Someone with direct knowledge called me up and said, 'Do you know that the insurance company that insures intelligence personnel is owned by the Chinese?'" Stein recounted, expressing his astonishment at the revelation. While the purchase was legal, the intertwined nature of business and state in China meant that the sensitive data was potentially exposed to Chinese intelligence services.

U.S. Regulatory Scrutiny and Divestment

The discovery prompted a swift, post-closing review by the Committee on Foreign Investment in the United States (CFIUS), a powerful but secretive government body that vets foreign deals for national security risks. CFIUS had not initially reviewed the deal, but its subsequent intervention underscored the gravity of the situation. According to reports from June 2016, Fosun and Ironshore voluntarily filed with CFIUS after the committee raised concerns. The pressure from federal investigators and the potential for regulatory action proved decisive. To mitigate the national security risks, Fosun was compelled to act. In September 2016, it was announced that Wright USA would be sold to Starr Companies, a U.S.-based insurance firm led by former AIG CEO Maurice Greenberg. Subsequently, in May 2017, Fosun sold the parent company, Ironshore, to the American firm Liberty Mutual Insurance for approximately $3 billion, completing its divestment from the sensitive sector.

The incident became a catalyst for Washington, contributing to a significant tightening of laws governing foreign investment. Since 2018, the U.S. has expanded CFIUS's authority to block investments in critical technology, infrastructure, and sectors involving sensitive personal data.

Implications for Kenya's Regulatory Framework

While the Fosun-Wright USA case unfolded thousands of miles away, its implications resonate powerfully within Kenya, which has seen a significant influx of Chinese investment, predominantly in infrastructure but increasingly in technology and other sectors. The episode serves as a critical case study for Kenyan regulators, particularly in the context of the country's own legal framework governing data and foreign ownership.

Kenya's Data Protection Act of 2019, closely modeled on Europe's GDPR, establishes a stringent regime for the handling of personal data. The Act has extraterritorial reach, applying to any foreign-based company that processes the personal data of individuals located in Kenya. This places a direct legal obligation on foreign investors to comply with Kenyan privacy standards. Speaking in Nairobi on Tuesday, November 19, 2024, Data Protection Commissioner Immaculate Kassait confirmed that her office is actively seeking Mutual Legal Assistance (MLA) agreements with other countries to enforce the Act against foreign firms that breach the data of Kenyans. "The MLA will assist in investigations when the data controller is based outside Kenya," Ms. Kassait stated, signaling a proactive stance on cross-border data governance.

Furthermore, Kenya's Insurance Act provides specific safeguards against complete foreign control, requiring that at least one-third of the paid-up capital of any insurance company be owned by citizens of East African Community Partner States. This provision ensures a degree of local oversight in a sector that, like banking, handles vast amounts of sensitive personal and financial information.

Balancing Investment and National Interest

The challenge for Kenya is to balance its ambition of attracting significant foreign direct investment—with a stated goal of increasing annual inflows from $500 million to $10 billion by 2027—with the imperative to protect its citizens' data and strategic national interests. Recent major cyberattacks targeting government and private databases in Kenya have heightened public awareness and concern around data security, making the issue a matter of urgent national debate.

While Chinese investment has been credited with fueling critical infrastructure development, including the Standard Gauge Railway, the Fosun-Wright USA affair demonstrates that the potential risks extend beyond debt and into the less visible realms of data sovereignty and security. As foreign investment diversifies into Kenya's financial, tech, and insurance sectors, the lessons from the U.S. experience underscore the need for vigilant, proactive, and robust regulatory enforcement to ensure that foreign capital serves Kenya's interests without compromising its security.